10 steps to address risk management weaknesses in financial institutions
As the world seeks to extricate itself from the worst financial crisis for many decades, fundamental questions are being asked about the role, responsibilities and limitations of risk management in the world’s financial institutions. Were the tools available to risk managers fit for purpose? Was there appropriate expertise and leadership at a senior level to guide risk management? Did risk managers lack authority to rein in the excesses of risk-takers? And, was there sufficient understanding of potential risk concentrations across the institution’s full range of operations?
Managing risk in perilous times: Practical steps to accelerate recovery is a new Economist Intelligence Unit report, sponsored by ACE, KPMG, SAP and Towers Perrin, that explores current thinking around risk management and proposes ten practical steps that financial institutions could take to strengthen their governance and management of risk. The report is based on a programme of in-depth interviews with leading participants from the financial services industry, along with a selection of independent risk experts.
“Our research suggests that a consensus is gradually emerging around the steps that are required to strengthen risk management in the world’s financial institutions,” says Rob Mitchell, editor of the report. “From governance and leadership to a greater focus on communication and organisational structure, the changes required are widespread and far-reaching, but essential to strengthen the overall resilience of the financial system.”
The report identifies the following ten steps to address current weaknesses in risk management:
* Risk management must be given greater authority. Even if risk managers have the right tools, information and expertise at their disposal, this counts for nothing if they do not have sufficient authority to escalate concerns and curb excessive risk-taking. To address this problem, senior executives should ensure that risk managers have appropriate stature within the organisation, and that this is thoroughly understood by those at the sharp end of the business.
* Senior executives must lead risk management from the top. Leadership and tone from the most senior level is essential. There should be appropriate board oversight of risk, usually through the audit committee or a risk committee. And the chief executive, as the “owner” of risk in the institution, must be seen to elevate the authority of risk management and build a robust, pervasive risk culture.
* Institutions need to review the level of risk expertise in their organisation, particularly at the highest levels. Financial institutions must be confident that they have sufficient risk expertise at the most senior level. Both executives and non-executives should have the tools and information at their disposal to understand the institution’s risk appetite and positions.
* Institutions should pay more attention to the data that populate risk models, and must combine this output with human judgment. No matter how sophisticated, models are limited by the quality of the data feeding them. Even with the best available data, no risk management tool should be used in isolation, and quantitative methods should always be backed up with qualitative approaches and the vital inputs of human judgment and dialogue.
* Stress testing and scenario planning can arm executives with an appropriate response to events. Stress testing must be integrated with the firm’s overall risk management processes, and mechanisms developed to ensure that the results are communicated to senior management in such a way that it is possible for them to formulate a clear response.
* Incentive systems must be constructed so that they reward long-term stability, not short-term profit. Certain aspects of the bonus culture and remuneration models for senior banking executives will need to be overhauled, with some of the rewards being withheld to match the maturity of the underlying business.
* Risk factors should be consolidated across all the institution’s operations. Conversations about risk appetite and risk capacity should not be restricted to the risk function, but should take place throughout the organisation. Equally, risk management should be tightly integrated into operations, and lines of communication should be clear enough that changes in risk levels can be escalated to the correct layer of authority before mitigation becomes impossible.
* Institutions should ensure that they do not rely too heavily on data from external providers. Financial institutions must address their over-dependence on credit ratings, and supplement ratings with their own analysis, which should be continuously updated over the entire period of the investment.
* A careful balance must be struck between the centralisation and decentralisation of risk. A central risk function, determined at a senior level, is essential in order to set risk appetite, implement and monitor controls and provide oversight of the firm’s risk position. But this must also be combined with an approach whereby risk is embedded in the regional office or business unit, such that each profit centre has ownership of its own risks.
* Risk management systems should be adaptive rather than static. The scale and unprecedented nature of the problems that befell the financial markets in late 2008 illustrates the need to conduct continuous observations of the real world and feed these back into the risk management system on a regular basis. This enables the system to correct its inherent weaknesses and respond to changing business conditions.
Managing risk in perilous times: Practical steps to accelerate recovery is available free to download at www.eiu.com/globalriskbriefing
The research for this report is based on a series of in-depth interviews with senior risk professionals and independent experts, combined with a process of desk research that comprised a review of current literature on risk management. Interviews and research were conducted by the Economist Intelligence Unit
|
|
